Samsung Knox, SEAMS, and SAFE

Endpoint Management supports and extends both Samsung for Enterprise (SAFE) and Samsung Knox policies on compatible Samsung devices. Samsung Knox includes the SE for Android Management Service (SEAMS). SEAMS provides API-level control of the Samsung security policy engine.

To control how and when Android devices connect to the Endpoint Management service, use Firebase Cloud Messaging (FCM). For information, see Firebase Cloud Messaging.

Endpoint Management enrolls Android devices into MDM+MAM or MDM mode, with the option for users to register in MAM-only mode. Endpoint Management supports the following authentication types for Android devices in MDM+MAM mode. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Identity providers:
    • Azure Active Directory
    • Citrix Identity provider

Another rarely used authentication method is client certificate plus security token. For information, see

A general workflow for starting Android device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Deploy Samsung license keys.

  4. Enable Samsung Knox attestation.

  5. Configure Samsung device policies.

  6. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for Android devices:

Method Supported
Bulk enrollment Yes (Knox)
Manual enrollment Yes
Enrollment invitations Yes

You can use Samsung Knox Mobile Enrollment to enroll multiple Samsung Knox devices into Endpoint Management (or any mobile device manager) without manually configuring each device. For information, see Samsung Knox Bulk Enrollment.

For information about enrolling devices, see Enroll Android devices.

Deploy Samsung license keys

Samsung has Enterprise License Management (ELM) keys and Knox License Management (KLM) keys. You purchase Samsung licenses from Samsung.

  • Knox: The Knox platform requires that you purchase a Samsung Knox Workspace license. To enable the Knox APIs and deploy Knox policies and restrictions to devices, first configure the Endpoint Management device policy, Samsung MDM license key. To activate Knox, you must push at least one Restriction device policy specifically for Knox along with the ELM and KLMS key.

    For HTC-specific policies, Endpoint Management supports HTC API version 0.5.0. For Sony-specific policies, Endpoint Management supports Sony Enterprise SDK 2.0.

  • SAFE: Deploy the built-in Samsung ELM key to a device before deploying SAFE policies and restrictions. To deploy that key, configure the Endpoint Management device policy, Samsung MDM license key.

Samsung Enterprise Firmware-Over-The-Air (E-FOTA) service

Endpoint Management also supports the Samsung Enterprise Firmware-Over-The-Air (E-FOTA) service. Samsung E-FOTA lets you determine when devices get updated, determine the firmware version to use, and test updates before deploying them. For information, see Configure Samsung E-FOTA settings.

Enable Samsung Knox attestation

You can configure Endpoint Management to query the Samsung Knox attestation server REST APIs.

Samsung Knox applies hardware security capabilities that provide multiple levels of protection for the operating system and applications. One level of this security resides at the platform through attestation. An attestation server provides verification of the mobile device core system software (for example, the boot loaders and kernel). The verification occurs at runtime based on data collected during trusted boot.

  1. In the Endpoint Management web console, click the gear icon in the upper-right corner. The Settings page appears.

  2. Click Samsung Knox.

    Image of the Samsung Knox page

  3. Set Enable Samsung Knox attestation to Yes to enable Samsung Knox attestation. The default is No.

  4. In the Web service URL list, do one of the following:

    • Click the appropriate attestation server.

    • Click Add new and then enter the Web service URL.

  5. Click Test Connection to verify the connection. A success or failure message appears.

  6. Click Save.

Configure Samsung device policies

Device policies for Samsung Knox:

App Restrictions App Uninstall Browser
Copy Apps to Samsung Container Exchange Knox Platform for Enterprise key
Passcode Restrictions Samsung MDM License key

Device policies for Samsung SAFE:

App Uninstall Restrictions Browser Exchange
Firewall Kiosk Knox Platform for Enterprise
OS update Restrictions Samsung MDM License key
Storage Encryption VPN  

Device policies for Samsung SEAMS:

Copy Apps to Samsung Container    

Security actions

Android supports the following security actions. For a description of each security action, see Security actions.

App Lock App Wipe Certificate Renewal
Full Wipe Locate Lock
Lock and Reset Password Notify Revoke
Selective Wipe    


For devices running Android 6.0 and greater, the Locate security action requires the user to grant Location permission during enrollment. The user can opt not to grant Location permission. If the user doesn’t grant the permission during enrollment, Endpoint Management again requests location permission when sending the Locate command.